PWS-OnlineGames.e!c5e557dd

Type: Trojan
SubType: Password Stealer
Discovery Date: 01/07/2008
Length: 24,064 bytes
Minimum DAT: 5201 (01/07/2008)
Updated DAT: 5912 (03/06/2010)
Minimum Engine: 5.1.00
Description Added: 01/07/2008
Description Modified: 01/07/2008 9:34 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

--- Update January 7, 2008 ---
The risk assessment of this threat was updated to Low-Profiled due to media attention.

PWS-OnlineGames.e!c5e557dd is a password stealing trojan for online games including:

  • Lord of the Rings Online
  • World of Warcraft

This trojan was recently found to be installed by web exploits (MS06-014, Exploit-RealPlay.c or Exploit-RealPlay) served when the following URL is accessed:

  • http://n.uc8010.com/[removed].htm

The following file is downloaded to:

  • %TEMP%\commomds.exe

This file will drop a DLL and inject it into Explorer.exe:

  • %WINDOWS%\System32\kb1111p.dll

(where %TEMP% is the user's temporary directory, e.g. C:\Documents and Settings\USERNAME\Local Settings\Temp, and %WINDOWS% is the Windows directory, e.g. C:\Windows)

Symptoms

  • Presence of the files listed above.
  • Presence of a network connection to the URL listed above.
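An added host check, written for this description and not part of McAfee's tooling, that looks for the indicators above: the dropped files, the DLL loaded inside Explorer.exe, and a DNS resolver cache trace of the download domain. It assumes PowerShell running with administrator rights; Get-DnsClientCache is absent on older Windows versions, so it falls back to ipconfig there.

```powershell
# Constructed defender-side check for the indicators in this description.
# Assumes administrator rights so that another user's explorer.exe modules are readable.
$dropper  = Join-Path $env:TEMP 'commomds.exe'
$dll      = Join-Path $env:SystemRoot 'System32\kb1111p.dll'
$domain   = 'n.uc8010.com'
$findings = @()

# On-disk indicators: the downloaded dropper and the DLL it writes.
foreach ($path in @($dropper, $dll)) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "File present: $path ($($item.Length) bytes, written $($item.LastWriteTime))"
    }
}

# In-memory indicator: the DLL is injected into Explorer.exe, so inspect each
# explorer process's loaded module list (access can be denied, hence the try/catch).
foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try {
        $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'kb1111p.dll' }
    } catch {
        $hit = $null
    }
    if ($hit) { $findings += "kb1111p.dll loaded in explorer.exe (PID $($proc.Id))" }
}

# Network indicator: a lookup of the download domain leaves an entry in the
# local DNS resolver cache even after the connection itself has closed.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $cached = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -ieq $domain }
    if ($cached) { $findings += "DNS cache entry for $domain" }
} elseif ((ipconfig /displaydns) -match [regex]::Escape($domain)) {
    $findings += "DNS cache entry for $domain"
}

if ($findings.Count -eq 0) {
    Write-Output 'No PWS-OnlineGames.e!c5e557dd indicators found on this host.'
} else {
    Write-Warning 'PWS-OnlineGames.e!c5e557dd indicators found; isolate the host and run a full scan with current DATs.'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A clean result from this script is not proof of a clean host: the file names and domain are specific to this variant, and a scan with current DATs and engine remains the authoritative check.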

Method of Infection

Removal

AVERT recommends always using the latest DATs and engine; with that combination this threat will be detected and cleaned.

Additional Windows ME/XP removal considerations

Variants

N/A
